Re: [Exim] Eximon vs. Exim Webapp security challenge

Author: Greg Folkert
Date:  
To: Blaine Simpson
CC: EximUser List
Subject: Re: [Exim] Eximon vs. Exim Webapp security challenge
--
On Mon, 2004-02-02 at 23:20, Blaine Simpson wrote:
> Greg Folkert wrote:
> > --
>
> >>You may notice that the normal procedure at nearly every large IT company
> >>is as follows: The main firewalls from the Internet permit all incoming
> >>traffic on http and https ports. This means that if you have a static IP
> >>inside, you can run a web or web app server and access it from anywhere
> >>on the Internet.
> >
> >
> > Thank you very much, on making yourself look like a "Billy" goat.
> > Firewalls that have admins who are clue-endowed do not permit ALL
> > http and https incoming traffic (80 and 443 respectively). I have
> > configured transparent firewalls for Colleges and Universities. Services
> > I allowed, got through, nothing else. http* only for those sanctioned
> > machines, smtp* only for those sanctioned machines, ssh only sanctioned
> > machines... etc.
>
> If you ever break out of your dreamland, you will realize that most large
> establishments, including C&W, MCI, Nextel, the parts of AOL where I
> worked on the network, all do it this way. The reason is, web servers
> are stood up every day, and in universities and businesses outside of
> your imagination, they do not update firewalls each time. People who
> have access to static, public IPs understand that if they run something
> on port 80, they are responsible for it. Most people have private-space
> IPs. I'm sure when they hear about your disapproval that they'll change
> that policy.


Seems a good excuse for you. You just keep on the status quo. If you do
not understand the implications, well there is not much I can do for
you.

> > Gotta understand Rules of Execution. Interface Policy -> Fragments ->
> > NAT -> Mangle -> Global Policy. I have a feeling you have not one
> > single clue.
>
> I've spent my working life working with all facets of this stuff on
> the biggest networks in govt and industry, from NASA to Nextel, while
> you have been imagining how things would be "if you ran things". You
> should quiet down until you've spent a few years coding TCP/IP,
> snooping networks, working with a wide variety of hardware and OSes.


Exactly how old are you? 12 or 62?

If you did half the things you said you have done... the EnTarNetter
thinger would be a FAR better place... with responsible people running
well admin'd, patched, updated systems with competent OSes, no Black
Hats would even begin to be able to survive.

No... I have also done many things that would cause you to re-evaluate
your skill. I have and may still run Honey-pots, have done risk
evaluation on government systems, done coroner reports on compromised
machines, broken into "supposedly" secure corporate private networks on
behalf of some large companies and then helped them fix the problems.
Using Social Engineering, known holes (personal webservers on desktops
in Windows), Rules testing on firewalls and finding the thin-spots, session
reconstruction...

Sure, go ahead and believe you are the best. I know I am not, because I
know the best crackers are never even seen or heard about. You, my dear
sir, make tons of noise, betraying your supposed skill.

BTW, Thank you for starting to follow simple netiquette.

I also consider this to be the last response to this, as it is getting
to be a pissing match.
--
greg@???
REMEMBER ED CURRY! http://www.iwethey.org/ed_curry